Log4J vulnerability

[luigidellaquila]

Hi all,

tl;dr: we are lucky: OrientDB is NOT affected.

Since I got many private messages asking if/how OrientDB is affected by Log4J vulnerabilities, I thought it's better to post a specific, public message about this.

The simple and complete answer is: NO, OrientDB is NOT affected by these vulnerabilities.

If you check the POM files of old releases, you will see that some Log4J libraries are linked as TEST dependencies. This means that

• Log4J was used by a few internal tests, so it's not a source of attack
• Log4J libraries are NOT shipped with the distributions
• Log4J dependency is NOT propagated to projects that have OrientDB as a dependency (client or embedded, it makes no difference)

Since we were on the topic, we also reviewed the test dependencies and realised that we didn't really need Log4J, so we are removing it completely, also from the test scope. Again, it has no effect on the production installations, since Log4J is not a production dependency and is not in the release.

Thanks!

Luigi

[zbubric]

Hi @luigidellaquila ,

can you, please, confirm that 'NOT AFFECTED' status is applicable also for 2.2.X track?
I tried to analyse dependency tree and found usage of log4j 1.2.16.jar but, also, it seems that log4j v2 is present as transitional dependency (used by) of Groovy 1.8.9?
Also, on mvnrepository site, log4j vulnerabilities are still enlisted for Orient v3 so, I don't know is there any way to update that informations (as you said, Orient is not affected)?

BR
Zoran